frontends-team-compass icon indicating copy to clipboard operation
frontends-team-compass copied to clipboard

Published 20 hours ago verified publisher icon jupyterlab

Security precautions

Open afshin opened this issue 6 years ago • 8 comments
trafficstars

Introduction

On the cusp of our 1.0 release, we should revisit our security procedures to make sure we are taking reasonable precautions to protect our users and ourselves.

I propose the following checklist as a model for how we handle these issues.

Risk factors

We recognize that our project is high profile and it could be a vector of attack in a few ways:

Vector Severity Risk
1 Malicious code injection into JupyterLab source high low
2 Compromised dependencies in package.json files high moderate
3 Publishing compromised Python packages to PyPI/Conda high low
4 Publishing compromised JS packages to NPM high moderate

Mitigation - how we handle these risks

1. Malicious code injection into JupyterLab source

  • [ ] Know your maintainers (KYM): careful trust-building in each maintainer who has merge rights
  • [ ] A sound code review process for every pull request; all PRs must be reviewed by someone who is not the author and must pass the automated test suite
  • [ ] Mandatory two-factor authentication (2FA) on GitHub for maintainers who can merge pull requests

2. Compromised dependencies in package.json files

  • [ ] Regularly reviewing outdated dependencies before each release
  • [ ] GitHub's NPM dependency notifications

3. Publishing compromised Python packages to PyPI/Conda

  • [ ] Mandatory two-factor authentication (2FA) for PyPI
  • [ ] Mandatory two-factor authentication (2FA) on GitHub for users who merge conda-forge pull requests

4. Publishing compromised JS packages to NPM

  • [ ] Mandatory two-factor authentication (2FA) for NPM

afshin avatar Jun 28 '19 13:06 afshin

We don't publish to conda directly. It is done via merging a pull request on the conda-forge repo.

blink1073 avatar Jun 28 '19 13:06 blink1073

Cheers, updated the list.

afshin avatar Jun 28 '19 13:06 afshin 

* Know your maintainers (KYM): careful trust-building in each maintainer who has publishing rights.

KYM for each maintainer who has merge rights as well as those that have publishing rights. Note that those two sets are distinct. For example, our conda-forge package has a maintainer with publish rights (i.e., merge rights on the conda-forge feedstock) who does not have merge rights in the jlab repo.

jasongrout avatar Jun 28 '19 13:06 jasongrout

Mandatory two-factor authentication (2FA) for PyPI.

Note that there isn't proper 2FA for PyPI. There is some work in progress that they call 2FA, but it is more of a 1.5FA

vidartf avatar Jun 28 '19 13:06 vidartf

AFAIK the only remaining issue is recovery codes: https://github.com/pypa/warehouse/issues/5800

blink1073 avatar Jun 28 '19 13:06 blink1073

I haven't tried publishing on PyPI since I added 2FA to my account.

afshin avatar Jun 28 '19 13:06 afshin

@jasongrout You're totally right. I had that in three spots and when I consolidated, I did not clarify. Updated now.

afshin avatar Jun 28 '19 13:06 afshin

@blink1073 I mean that 2 factors are not needed on upload, only to generate a token that is stored for use on upload (https://github.com/pypa/warehouse/issues/5815). This means there is only one factor when uploading (something stored on your computer).

vidartf avatar Jun 28 '19 14:06 vidartf